CVE-2017-3138: named exits with a REQUIRE assertion failure if it receives a null command string on its control channel
Posting date: 12 April 2017
Versions affected: 9.9.9->9.9.9-P7, 9.9.10b1->9.9.10rc2, 9.10.4->9.10.4-P7, 9.10.5b1->9.10.5rc2, 9.11.0->9.11.0-P4, 9.11.1b1->9.11.1rc2, 9.9.9-S1->9.9.9-S9
Exploitable: Remotely, from hosts that are within the ACL permitted access to the control channel
named contains a feature which allows operators to issue commands to a running server by communicating with the server process over a control channel, using a utility program such as rndc.
A regression introduced in a recent feature change has created a situation under which some versions of named can be caused to exit with a REQUIRE assertion failure if they are sent a null command string.
The BIND control channel is not configured by default, but when configured it will accept commands from those IP addresses that are specified in its access control list and/or from clients which present the proper transaction key. Using this defect, an attacker can cause a running server to stop if they can get it to accept control channel input from them. In most instances this is not as bad as it sounds, because existing commands permitted over the control channel (e.g. "rndc stop") can already be given to cause the server to stop.
However, BIND 9.11.0 introduced a new option to allow "read only" commands over the command channel. Using this restriction, a server can be configured to limit specified clients to giving control channel commands which return information only (e.g. "rndc status") without affecting the operational state of the server. The defect described in this advisory, however, is not properly stopped by the "read only" restriction, in essence permitting a privilege escalation allowing a client which should only be permitted the limited set of "read only" operations to cause the server to stop execution.
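Because the "read only" restriction does not stop this defect, the practical barrier on an unpatched server is the control channel's own access control: a tight allow list and a required TSIG key. The following audit script is an added example written for this advisory, not ISC code; it takes a named.conf `controls` stanza, extracts each `inet` listener, and reports the gaps that leave a read-only client able to reach the crash. Both sample configurations are constructed for the example; the `read-only` keyword on the `inet` statement is the BIND 9.11 syntax the advisory refers to.

```python
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Constructed sample: a listener on a routable address that admits a whole
# subnet and relies on the 9.11 "read-only" restriction alone (no key required).
WEAK_CONTROLS = """
controls {
    inet 192.0.2.10 port 953 allow { 192.0.2.0/24; } read-only yes;
};
"""

# Constructed sample: loopback only, TSIG key mandatory on every listener,
# with read-only still applied to the limited monitoring key.
HARDENED_CONTROLS = """
controls {
    inet 127.0.0.1 port 953 allow { 127.0.0.1; } keys { "rndc-key"; };
    inet 127.0.0.1 port 954 allow { 127.0.0.1; } keys { "monitor-key"; } read-only yes;
};
"""

# Matches one `inet` statement: address, optional port, allow list,
# optional keys list, optional read-only flag.
INET_RE = re.compile(
    r"inet\s+(?P<addr>\S+)"
    r"(?:\s+port\s+(?P<port>\d+))?"
    r"\s+allow\s*\{(?P<allow>[^}]*)\}"
    r"(?:\s+keys\s*\{(?P<keys>[^}]*)\})?"
    r"(?:\s+read-only\s+(?P<ro>yes|no|true|false))?"
    r"\s*;",
    re.IGNORECASE,
)

LOOPBACK = {"127.0.0.1", "::1", "localhost"}


@dataclass
class Finding:
    listener: str
    issues: List[str] = field(default_factory=list)


def _tokens(block: Optional[str]) -> List[str]:
    """Split a `{ a; b; }` body into bare tokens, dropping quotes."""
    if not block:
        return []
    return [t.strip().strip('"') for t in block.split(";") if t.strip()]


def audit_controls(conf: str) -> List[Finding]:
    """Return one Finding per `inet` listener, listing hardening gaps."""
    findings = []
    for m in INET_RE.finditer(conf):
        addr = m.group("addr")
        port = m.group("port") or "953"
        allow = _tokens(m.group("allow"))
        keys = _tokens(m.group("keys"))
        read_only = (m.group("ro") or "no").lower() in ("yes", "true")
        f = Finding(listener=f"{addr}:{port}")
        if not keys:
            f.issues.append("no TSIG key required (keys { } missing)")
        if addr not in LOOPBACK:
            f.issues.append(f"listens on non-loopback address {addr}")
        if any(tok == "any" or "/" in tok for tok in allow):
            f.issues.append(f"allow list admits a network range or 'any': {allow}")
        if read_only and not keys:
            # The point of this advisory: read-only alone does not prevent
            # the assertion failure on affected versions.
            f.issues.append("read-only is the only restriction; it does not block this defect")
        findings.append(f)
    return findings


def is_hardened(conf: str) -> bool:
    """True when every listener has a key and no other gaps were found."""
    findings = audit_controls(conf)
    return bool(findings) and all(not f.issues for f in findings)


if __name__ == "__main__":
    for name, conf in (("weak", WEAK_CONTROLS), ("hardened", HARDENED_CONTROLS)):
        print(name, "hardened" if is_hardened(conf) else "NOT hardened")
        for f in audit_controls(conf):
            for issue in f.issues:
                print("  ", f.listener, "-", issue)
```

The script deliberately treats a missing `keys { }` clause as a gap even when the allow list is tight, since address-based ACLs alone are spoofable on some networks and the advisory's own advice is to require ACLs, TSIG keys, or both. The regex parser is intentionally simple and covers the `inet` form shown; a production check should use the server's own parsing (for example `named-checkconf -p`) rather than regular expressions.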
CVSS Score: 6.5
Workarounds: None. However, in a properly configured server, access to the control channel should already be limited by either network ACLs, TSIG keys, or both.
Active exploits: No known active exploits
Solution: Upgrade to the patched release most closely related to your current version of BIND. These can all be downloaded from http://www.isc.org/downloads.
BIND Supported Preview Edition is a special feature preview branch of BIND provided to eligible ISC support customers.
New maintenance releases of BIND are also scheduled which contain the fix for this vulnerability. In addition to the security releases listed above, fixes for this vulnerability are also included in these release candidate versions:
Acknowledgements: ISC would like to thank Mike Lalumiere of Dyn, Inc., for bringing this issue to our attention.
Document Revision History:
1.0 Advance Notification 20 March 2017
See our BIND9 Security Vulnerability Matrix at https://kb.isc.org/article/AA-00913 for a complete listing of Security Vulnerabilities and versions affected.
If you'd like more information on ISC Subscription Support and Advance Security Notifications, please visit http://www.isc.org/support/.
Do you still have questions? Questions regarding this advisory should go to firstname.lastname@example.org. To report a new issue, please encrypt your message using email@example.com's PGP key which can be found here: https://www.isc.org/downloads/software-support-policy/openpgp-key/. If you are unable to use encrypted email, you may also report new issues at: https://www.isc.org/community/report-bug/.
Note: ISC patches only currently supported versions. When possible we indicate EOL versions affected. (For current information on which versions are actively supported, please see http://www.isc.org/downloads/).
ISC Security Vulnerability Disclosure Policy: Details of our current security advisory policy and practice can be found here: https://kb.isc.org/article/AA-00861/164/ISC-Software-Defect-and-Security-Vulnerability-Disclosure-Policy.html
This Knowledge Base article https://kb.isc.org/article/AA-01471 is the complete and official security advisory document.